Commit 86be645

Doc: improve discussion of object owners' inherent privileges.
In particular, clarify that the role membership mechanism allows members to inherit the ownership privileges of an object's owning role.

Laurenz Albe, with some kibitzing by me

Discussion: https://postgr.es/m/504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at
1 parent a28704a commit 86be645

1 file changed: +13 -10 lines changed

doc/src/sgml/ddl.sgml

Lines changed: 13 additions & 10 deletions
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
15781578
</para>
15791579

15801580
<para>
1581-
The right to modify or destroy an object is always the privilege of
1582-
the owner only.
1581+
The right to modify or destroy an object is inherent in being the
1582+
object's owner, and cannot be granted or revoked in itself.
1583+
(However, like all privileges, that right can be inherited by
1584+
members of the owning role; see <xref linkend="role-membership"/>.)
15831585
</para>
15841586

15851587
<para>
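Review bot: the parenthetical at new lines 1583-1584 reads as a blanket rule ("like all privileges, that right can be inherited"), while the conditions under which a member actually inherits live in the role-membership section the xref points to; consider softening to "as with other privileges, that right may be inherited by members of the owning role; see <xref linkend="role-membership"/>" so readers do not take inheritance as unconditional.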
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
16141616
</para>
16151617

16161618
<para>
1617-
To revoke a privilege, use the fittingly named
1619+
To revoke a previously-granted privilege, use the fittingly named
16181620
<xref linkend="sql-revoke"/> command:
16191621
<programlisting>
16201622
REVOKE ALL ON accounts FROM PUBLIC;
16211623
</programlisting>
1622-
The special privileges of the object owner (i.e., the right to do
1623-
<command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
1624-
are always implicit in being the owner,
1625-
and cannot be granted or revoked. But the object owner can choose
1626-
to revoke their own ordinary privileges, for example to make a
1627-
table read-only for themselves as well as others.
16281624
</para>
16291625

16301626
<para>
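Review bot: the removed lines 1622-1627 were the only place that named the owner-only rights explicitly ("DROP, GRANT, REVOKE, etc."), and the replacement wording in the earlier paragraph ("modify or destroy") no longer says that granting and revoking privileges on an object is itself reserved to the owner; consider carrying a short clause such as "including the right to grant and revoke privileges on it" into the earlier paragraph so that point is not lost.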
@@ -1638,6 +1634,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
16381634
<xref linkend="sql-revoke"/> reference pages.
16391635
</para>
16401636

1637+
<para>
1638+
An object's owner can choose to revoke their own ordinary privileges,
1639+
for example to make a table read-only for themselves as well as others.
1640+
But owners are always treated as holding all grant options, so they
1641+
can always re-grant their own privileges.
1642+
</para>
1643+
16411644
<para>
16421645
The available privileges are:
16431646

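Review bot: "can always re-grant their own privileges" at new line 1641 leaves the grantee implicit; since the paragraph is about an owner who has revoked privileges from themselves, spell out the target, e.g. "so they can always grant those privileges back to themselves", which also makes the link to the preceding sentence clearer.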
@@ -4695,7 +4698,7 @@ EXPLAIN SELECT count(*) FROM measurement WHERE logdate &gt;= DATE '2008-01-01';
46954698
</itemizedlist>
46964699
</para>
46974700
</sect2>
4698-
4701+
46994702
<sect2 id="ddl-partitioning-declarative-best-practices">
47004703
<title>Declarative Partitioning Best Practices</title>
47014704

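Review bot: the change at 4698/4701 is whitespace-only (a blank line replaced by a blank line) in the partitioning section and is unrelated to the privilege wording this commit is about; harmless, but the commit message does not mention it, so either drop it from this commit or note it there.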